This container contains scripts to demonstrate resource exhaustion from within a Kubernetes cluster:
- Allocate all remaining RAM
- Allocate all remaining disk space
- Fork bomb all the things! (courtesy of Chris, who also demonstrated this in one of our last presentations)
- Inode exhaustion
These exhaustion attacks work in many K8s environments because the default settings do not include proper resource limits, and each of them can and does render a node useless (which then spreads through the cluster as pods from the failed node get rescheduled onto other nodes).
Hardening measures are added to dosploy.yaml and listed below:
- Memory Restrictions
- Ephemeral Storage Limits
  - Keep in mind that storage limits may not apply to other volumes attached to a pod.
- Pod PID Limit
  - The PID limit is configured at the kubelet level and applies to all pods, i.e. you cannot configure individual PID limits per pod.
- Inode exhaustion: I am not aware of a Kubernetes-native way of restricting this exhaustion attack. There are ways to use loopback mounts per container and the like, but it seems like a lot of operational effort.
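To check whether a workload actually carries the memory and ephemeral-storage limits listed above, here is a small audit function (an added example, not one of this container's scripts). It takes a pod spec in the shape `kubectl get pod -o json` returns (embedded here as constructed sample dicts), flags containers without those limits and hostPath volumes that ephemeral-storage limits do not cover; it does not check PID limits, since those live in the kubelet configuration rather than in the pod.

```python
"""Audit pod specs for the memory and ephemeral-storage hardening described above.

Added example, not part of this container's scripts. The sample specs below
are constructed; a real spec would come from `kubectl get pod -o json`
(the `.spec` object).
"""

REQUIRED_LIMITS = ("memory", "ephemeral-storage")


def audit_pod_spec(spec: dict) -> list:
    """Return human-readable findings; an empty list means the spec passes."""
    findings = []
    # Both init containers and regular containers can exhaust the node.
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            limits = c.get("resources", {}).get("limits", {})
            for res in REQUIRED_LIMITS:
                if res not in limits:
                    findings.append(f"{kind}/{c['name']}: no {res} limit")
    # hostPath writes land on the node's own filesystem and are not counted
    # against the pod's ephemeral-storage limit.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(
                f"volume/{vol['name']}: hostPath is not covered by ephemeral-storage limits")
    return findings


# Constructed samples: a default-style spec without limits, and a hardened one.
UNRESTRICTED = {
    "containers": [{"name": "stress", "image": "example/stress:latest"}],
    "volumes": [{"name": "scratch", "hostPath": {"path": "/var/tmp"}}],
}
HARDENED = {
    "containers": [{
        "name": "stress",
        "image": "example/stress:latest",
        "resources": {
            "limits": {"memory": "256Mi", "ephemeral-storage": "1Gi"},
            "requests": {"memory": "256Mi", "ephemeral-storage": "1Gi"},
        },
    }],
    # emptyDir with sizeLimit stays within the pod's ephemeral-storage accounting.
    "volumes": [{"name": "scratch", "emptyDir": {"sizeLimit": "1Gi"}}],
}

if __name__ == "__main__":
    for label, spec in (("unrestricted", UNRESTRICTED), ("hardened", HARDENED)):
        print(label, audit_pod_spec(spec) or ["ok"])
```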